The Government Accountability Office last year disclosed that there had been more than 67,000 intrusions in 2014 into computer systems belonging to 24 major federal agencies.

By James Rose, McClatchy Washington Bureau

July 28, 2016

(TNS) — WASHINGTON — The accusations and counter-charges flying between Russia and the United States over a massive leak of Democratic Party emails recall stranger-than-fiction episodes from the Cold War, but now the high-stakes espionage game is taking place in cyberspace and features digital malware instead of dead drops.

The release by WikiLeaks of 19,252 internal emails from the Democratic National Committee sparked an FBI investigation and prompted the resignation of Rep. Debbie Wasserman Schultz from her party’s chairmanship due to alleged bias shown in the emails toward Hillary Clinton over Sen. Bernie Sanders.

Senior campaign aides to Clinton, under political fire for her mishandling of emails while she was secretary of state, quickly blamed the release on two Russian cyberspook groups nicknamed “Fancy Bear” and “Cozy Bear” that are believed to have close ties to Moscow’s intelligence agencies and military services.


The alleged motivation of Fancy Bear and Cozy Bear? The Kremlin is said to favor Republican nominee Donald Trump, who has spoken admiringly of Russian President Vladimir Putin and just last week criticized NATO, the trans-Atlantic alliance formed after World War II to counter Soviet expansion. Putin, in response, called Trump “a very bright and talented man.”

The evidence of Putin support for Trump is at the moment merely circumstantial — the Russian president has criticized Clinton previously for what he said was her interference in Russia’s 2011 disputed election results, and some members of Trump’s campaign staff have worked with Russia before.

But the controversy at a minimum reflects the growing threat of cyberwarfare among a group of U.S. allies and adversaries that include Britain, Israel, Russia, China, Iran and North Korea. The battles remain largely unseen, except when they result in spectacular moments, such as Wasserman Schultz’s abrupt resignation before the start of the Democratic National Convention.

The Government Accountability Office, the investigative arm of Congress, last year disclosed that there had been more than 67,000 intrusions in 2014 into computer systems belonging to 24 major federal agencies, including the Pentagon, the State Department, the Treasury, the Commerce Department, NASA and the Homeland Security Department. While it didn’t tie any of the intrusions to a specific foreign government, it said China, Russia, Iran and North Korea are among the most aggressive cyberculprits.

James Clapper, director of national intelligence, made a rare public admission last September that American cybertactics go beyond defensive measures.

That comment drew a sharp retort from the panel’s chairman, Sen. John McCain, R-Ariz., who’d convened the hearing to probe China’s alleged cybertheft from Office of Personnel Management’s database of records belonging to 22 million federal employees.

“So it’s OK for (the Chinese) to steal our secrets that are most important because we live in a glass house?” McCain asked.

“I’m just saying that both nations engage in this,” Clapper responded.

Cybersecurity experts are divided over whether Moscow is behind the DNC email theft. The FBI is investigating, and a computer security firm, CrowdStrike, working for the DNC, has said it’s convinced Russia was behind it.

Democratic politicians quickly weighed in, with Rep. Adam Schiff of California, the senior Democrat on the House Intelligence Committee, and California Sen. Dianne Feinstein, his counterpart on the Senate Intelligence Committee, demanding in a letter to President Barack Obama that “any Intelligence Community assessments related to the DNC hack” be made public.

The office of Sen. Richard Burr, the North Carolina Republican who chairs the Senate Intelligence Committee, said he’ll wait for the completion of the FBI investigation before reaching a conclusion. “Public discussion about attribution and possible responses are premature, at best,” an emailed statement said.

Donald Vilfer, a former FBI computer-crime specialist and director of digital forensics for Califorensics, a Sacramento-based cybersecurity firm, said it’s too early to know for sure what took place.

Vilfer knows all about “Fancy Bear” and “Cozy Bear,” which are believed to have close ties to Moscow’s intelligence agencies and military services. But he’s not sold on the notion, floated by other analysts, that either of them stole the DNC email cache. For one, he’s skeptical a state-sponsored organization would have chosen to disseminate the information via WikiLeaks, a website that’s made its reputation publishing government information obtained from individuals.

“You’d have to ask yourself why a state-sponsored organization would give it to WikiLeaks,” Vilfer told McClatchy. “Is it undermining the Clinton campaign because the Russians favor Trump? It almost seems a little too crazy, but in this election year, nothing’s too crazy, I guess.”

Even if Fancy Bear or Cozy Bear turn out to be the original source of the WikiLeaks email trove, Vilfer said skilled cyberthieves normally take great care in fencing their stolen digital goods, leaving in doubt whether WikiLeaks would actually know where the data came from.

“There often will be multiple hops that data will take from one country to another in order to mask where the intrusion originated or where the data ultimately ended up,” he said. “I had one case with the FBI that took almost three years to follow through all the hops and eventually lead to Russian freelance hackers.”

Giovanni Masucci, president of National Digital Forensics in Raleigh, N.C., said cyberdetectives often are able to recognize the “signatures” of hackers in the computer code they use to infiltrate servers and networks. “Most malware is custom-written,” Masucci said. “You’ll get variations in the code that’s embedded in the malware.”

But Masucci added that skilled cyberthieves have learned how to imitate the coding of other hackers or even a particular government agency, making detection less certain. “Malware can be made to look like it came from a certain hacker group, but it was mimicked,” he said.

CrowdStrike, which the DNC hired in May to investigate a possible breach of its computer network, remains certain of its conclusion that Fancy Bear and Cozy Bear, also known as APT28 and APT29, had infiltrated the DNC’s digital system.

When a separate hacker named Guccifer 2.0, who said he was Romanian, claimed to be the cyberthief last month, CrowdStrike took the unusual step of publicly rebuking him and dismissing his online posts as “part of a Russian intelligence disinformation campaign” intended to deflect blame from the Kremlin.

“CrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries present in the DNC network in May 2016,” Dmitri Alperovitch, a Russian-born executive with CrowdStrike, wrote in a blog.

Alperovitch became famous among cybersleuths in 2011 when, while working for the McAfee security-software company, he wrote a report fingering the Chinese government for Operation Aurora, a prolonged cyberattack on two dozen American high-tech firms and defense contractors, including Google, Yahoo and Northrop Grumman.

Clinton, then secretary of state, admonished China in one of the first instances of a major nation blaming another for a cyberoffensive. Operation Aurora is still considered among the most dangerous acts of cyberwarfare waged to date.

In his CrowdStrike blog, Alperovitch expressed grudging admiration for Fancy Bear, which is believed to be tied to the GRU, the foreign military intelligence arm of the Russian Armed Forces, and Cozy Bear, which has been linked to civilian Russian intelligence.

“We’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well,” he wrote. “In fact, our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis.”

Indeed, he wrote, another element points to Russian involvement in the DNC hack: Fancy Bear and Cozy Bear were both inside the Democratic network, but neither hacker group seemed to be aware of the other’s presence.

“While you would virtually never see Western intelligence agencies going after the same target for fear of compromising each other’s operations, in Russia this is not an uncommon scenario,” he said, noting that Russian intelligence agencies are well known for not sharing information.

Julian Assange, the Australian-born founder of WikiLeaks, has said he doesn’t know the source of the emails and that “there is no proof whatsoever” that Moscow was the source.

“If we’re talking about the DNC, there’s lots of consultants that have access, lots of programmers,” Assange said.